gradle-witness
extend to gradle plugins
Since the whole gradle build process for Android relies on downloading plugins from jcenter, we really need a way to do what gradle-witness does, but for those plugins. @dschuermann already made it possible to have the gradle wrapper verify the sha256 of gradle binaries it downloads: https://github.com/gradle/gradle/pull/448
The missing piece remains gradle plugins.
This is probably the most essential bit to verify:
classpath 'com.android.tools.build:gradle:1.2.3'
Full ACK
+1. It would also be nice to have a tool or "best practice" for validating the wrapper scripts and jars that bootstrap most builds.
I created a topic on the Gradle forum that includes this issue: https://discuss.gradle.org/t/jar-validation-via-hashes-or-signatures/12238
Really, the gradle-wrapper should validate what it downloads automatically, whenever possible. That should be easy for any gradle binary, since those all have a stable sha256 hash, and there are not very many of them (about 20?). Those hashes just need to be included in gradle-wrapper and mapped to the right file/URL.
Just in case: Gradle's DependencyResolutionListener is able to verify plugins as well.
Plugin: https://github.com/vlsi/vlsi-release-plugins#checksum-dependency-plugin https://plugins.gradle.org/plugin/com.github.vlsi.checksum-dependency
Sample use: https://github.com/vlsi/vlsi-release-plugins/commit/208734b6e9d67c11d0d697f883f3e23107284820
The key idea is to add the plugin right into the settings.gradle file, so it is executed way before all other plugins are loaded.
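As an added illustration of the settings.gradle approach described in the comment above (example code written for this page, not the checksum-dependency plugin's own code and not gradle-witness): a DependencyResolutionListener registered from settings.gradle hashes every resolved module artifact, including the buildscript classpath that carries the Android Gradle plugin, and fails the build on an unpinned artifact or a mismatch. The `expected` map and its hash value are constructed placeholders, and it is assumed that Gradle's listener fires for buildscript configurations as well as project ones.

```groovy
// settings.gradle (added example; placeholder pins, not real checksums)
import java.security.MessageDigest
import org.gradle.api.artifacts.DependencyResolutionListener
import org.gradle.api.artifacts.ResolvableDependencies
import org.gradle.api.artifacts.component.ModuleComponentIdentifier

// Constructed placeholder pins: "group:name:version" -> sha256 of the artifact file.
// Real values must come from a trusted out-of-band source, never from the download itself.
def expected = [
    'com.android.tools.build:gradle:1.2.3': '<sha256-placeholder>',
]

// Hex-encoded SHA-256 of a file on disk.
def sha256Of = { File f ->
    MessageDigest.getInstance('SHA-256').digest(f.bytes).encodeHex().toString()
}

// Registering from settings.gradle means the hook exists before any plugin classpath
// is resolved, which is the point made in the comment above.
gradle.addListener(new DependencyResolutionListener() {
    void beforeResolve(ResolvableDependencies deps) { }

    void afterResolve(ResolvableDependencies deps) {
        deps.artifacts.artifacts.each { artifact ->
            def id = artifact.id.componentIdentifier
            // Only module artifacts from repositories are pinned; project outputs are skipped.
            if (!(id instanceof ModuleComponentIdentifier)) return
            def key = "${id.group}:${id.module}:${id.version}".toString()
            def actual = sha256Of(artifact.file)
            def pinned = expected[key]
            if (pinned == null) {
                // Fail closed: an artifact nobody pinned is as untrusted as a wrong one.
                throw new GradleException(
                    "Unpinned dependency ${key} (sha256 ${actual}) resolved by ${deps.path}")
            }
            if (pinned != actual) {
                throw new GradleException(
                    "Checksum mismatch for ${key}: expected ${pinned}, got ${actual}")
            }
        }
    }
})
```

Because every transitive artifact must be pinned, the first run is expected to fail and print the hashes to review and record; only hashes confirmed against an independent source (the publisher's signature or a second mirror) belong in the map.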